greg hughes - dot net
Note that the contents of this site represent my own thoughts and opinions, not those of anyone else - like my employer - or even my dog for that matter. Besides, the dog would post things that make sense. I don't.

DNS has a hole in it. Bad guys are working on exploits right now. Patches are available right now. Anyone responsible for a DNS server needs to exercise that responsibility. Right Now.

Dan Kaminsky found a security hole in DNS recently, the details of which he was keeping quiet so providers could fix and release patches and DNS server owners could get those patches deployed, in order to avoid security breaches on the Internet. His intent was to release the gory details in a couple weeks at the Black Hat conference.

But the other day word of the details inadvertently leaked out, and so now everyone responsible for a DNS system must - and I do mean must - drop what they're doing and make sure their systems are patched and safe. Failure to do so puts Internet users at risk of site fraud and hijacking.

DNS is a system that translates names you can remember (like www.greghughes.net) to especially non-memorable numerical addresses the Internet can route (such as 208.109.238.146). It's the Internet's phone book, so to speak.

The security hole allows malicious people to spoof a web site using the actual, legitimate domain name. In other words, bad guys could hijack a DNS server, and if it happens to be one your computer relys upon, you could type in a legitimate address like www.google.com or www.yourbank.com, but the web page would be a malicious one - a fake. The recently-released patches plug the hole and prevent this misuse (although it doesn't really change the underlying protocol).

Aaron Massey wrote a very good post describing the issue and it's various details. He also links to Halvar Flake, a talented reverse-engineering guy who thought the threat through and pretty much guessed it right on his blog. After Halvar's guess, another security blog that had specific knowledge of the threat details confirmed Flake's hypothesis. As a result, the threat was disclosed.

Luckily, the various creators of the DNS systems used all over the Internet released patches about two weeks ago. The real question is, have you patched your servers? This is a critical flaw - it needs to be patched immediately.

This page was rendered at Tuesday, March 03, 2015 2:31:02 PM (Pacific Standard Time, UTC-08:00)

newtelligence dasBlog 2.1.8015.804

"Computers used to take up entire buildings, now they just take up our entire lives."

- Unknown

"So how do you know what is the right path to choose to get the result that you desire? And the honest answer is this... You won't. And accepting that greatly eases the anxiety of your life experience."

Chris was formerly my boss at work and is an avid board gamer and photographer. He always has some new info about top-notch board games you may have never heard of, so if you're into them, you should check out this blog.

Scott's computerzen blog is a popular spot for all things .NET and innovative. I used to work with him, but then he went off to Microsoft. He's one of the smartest guys I know, and arguably the best technical presenter around.